In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week, including inquiring into where the chickens are in England.

  1. The Supreme Court narrows the definition of who is a whistleblower in Digital Realty v. Somers. See Kevin LaCroix’s report in the D&O Diary and Sam Rubenfeld’s report in the WSJ Risk and Compliance Journal. Henry Cutter surveys white collar defense and vendor reaction in his piece in the WSJ Risk and Compliance Journal.
  2. Banks behaving badly yet again. Mike Volkov reports on Rabobank’s $368MM penalty for conspiracy to launder money and obstruct justice in Corruption, Crime and Compliance.
  3. Bill Coffin hits his third straight home run. He writes about the ethical and compliance failures of Twitter in his Compliance Week
  4. Companies need to prepare for more robust international investigations and enforcement of anti-corruption laws. Mara Lemos Stein reports in the WSJ Risk and Compliance Journal.
  5. Jaclyn Jaeger reviews due diligence practices for corporate sponsors in Compliance Week.
  6. Curling goes big-time with a doping scandal. An amazed Adam Turteltaub writes in the SCCE Compliance and Ethics Blog.
  7. How can you evaluate in-house investigations? Sundar Narayanan explores in an article in Corporate Compliance Insights.
  8. Hui Chen and Professor Eugene Soltes consider a more analytical approach to testing compliance program effectiveness, in an upcoming Harvard Business Review article (sub req’d).
  9. KFC shuts down in the UK for (wait for it) lack of chicken to fry. Tom considers what risk is in a piece for the FCPA Blog.
  10. Tom had a week-long series on the intersection of Sherlock Holmes and innovation in compliance. Check out the following topics: Digital Strategies; Using the Digital Twin; CCO as Data Interpreter; Interpreting Data; and Digital Future in Compliance.
  11. The Everything Compliance gang is back for a wrap up of their highlights from the first year of compliance under Trump. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  12. Tom and Jonathan Armstrong premiere a new podcast, Countdown to GDPR. This podcast will consider what US companies can do to prepare for GDPR on its go-live date of May 25, 2018. For the inaugural episode, click here. Episode 2 will go up next Wednesday, February 28th.
  13. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. It is available for presale here.

The top compliance roundtable podcast is back with a wrap up reviewing the first year of the Trump Administration and its impact on the compliance profession. Stay tuned to the end for riffs and rants in this edition.

  1. Is Jay Clayton who we thought he was? Matt Kelly takes a look at SEC Chairman Jay Clayton and explores some of the SEC’s changes, initiatives and what did not change. Matt riffs on the new compliance officer comedy, which will be piloting on FX television. 

For Matt Kelly’s musings on Jay Clayton, the PCAOB, government rule-making and the SOX compliance debate, see the following: 

8 Compliance Events to Watch in 2018

Clayton, Congress Talk Cybersecurity

The Private Market Stresses Driving SOX Compliance Debate

Framing the Arguments Over SOX Compliance

Treasury Report Eyes SOX Compliance

Regulatory Czar Eyes Agency Guidance

COSO Names New Chairman 

  2. Mike Volkov summarizes the Mueller investigation, using a timeline to highlight where it has been, key pleas from key players and where it may be going. Belying his normal contrarian state, Mike relates how doing yoga has put him in a blissful state.

For Mike Volkov’s excellent 3-part podcast series on the Mueller investigation and related blog posts, see the following: 

Obstruction of Justice-A Primer

Understanding Special Counsel Mueller’s Authorization

Perspective on the Russian Investigation — Analysis and Review of Manafort/Gates Indictment and Papadopoulos Plea (Part I of III)

Perspective on the Russian Investigation — The Michael Flynn Plea Agreement (Part II of III)

Perspective on the Russian Investigation — Next Steps for Special Counsel Mueller’s Investigation (Part III of III)

  3. Did anything really change over the past year for the compliance practitioner? Jonathan Armstrong considers what really changed in the world of anti-corruption compliance under the Trump Administration and answers with a resounding Not Much. Jonathan Armstrong rants on Hudson News stores at airports, which inevitably do not have anything Traveler Armstrong needs.

For the Cordery Compliance client alerts see the following: 

EU Conflict Minerals and Metals Regime

Bribery Due Diligence

Disruptive Technology Start-Ups & The Need For Legal Compliance

New Schrems Case Poses a Threat to International Data Flows? 

  4. In a year where it appeared not much happened in the FCPA, Jay Rosen says the new FCPA Corporate Enforcement Policy is a significant step forward for compliance. Jay Rosen rants on his New England Patriots Super Bowl loss.

For Jay Rosen’s post on the new FCPA Corporate Enforcement Policy see the following:

Jay Rosen’s Most Significant FCPA Event from 2017 – FCPA Corporate Enforcement Policy (or a 5 Min History of How We Got From There to Here) 

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development, Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

In this episode Matt Kelly and I go meta as we podcast about another podcast that Matt posted this week on his site, Radical Compliance, where he interviewed Paul Sobel, the incoming Chairman of COSO. We discuss how Sobel sees his new role at COSO, some of the initiatives that he has in mind for the organization and how companies can use the various COSO frameworks, including the Internal Controls and ERM frameworks, to better manage risk from the strategic perspective.

We use the Sobel interview as a starting point to consider how Boards of Directors can think about risk management for a wide variety of issues, from climate change to cybersecurity to sustainability. We also discuss how the COSO frameworks can be used in conjunction with more tactical forms to create a more robust overall risk management program. Join Matt and me as we go meta this week and take going into the weeds to a new level.

For Matt Kelly’s interview with Paul Sobel click here.

For Matt Kelly’s blog post on the COSO ERM Framework see, “COSO Debuts Final ERM Framework”

For Tom Fox’s blog post on the COSO ERM Framework see, The COSO ERM Framework

Welcome to Episode 10 of the Compliance Man Goes Global podcast of the FCPA Compliance Report International Edition. In this episode, we will focus on the impact of new technologies and artificial intelligence on the compliance profession. We will explore this matter in plain language, so to say, and in a simple game format. Moreover, to make the podcast handy and more appealing we attach the respective illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov.

For those of our listeners who are not aware of our format, in each podcast we take two typical concepts, or more accurately misconceptions, from in-house compliance reality. We check whether these concepts work in emerging jurisdictions. For each podcast, Timur, a practitioner who focuses on embedding compliance programs in high-risk markets, and I divide the roles. One of us will advocate the concept, identifying the pros. The second compliance man will provide arguments finding the cons and trying to convince the audience that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.

Tom: OK, Tim, let’s get started.

Myth #1. There is no need for a Compliance Officer to learn about new technologies such as blockchain or artificial intelligence, for instance. Tim, would you agree with this statement?

Tim Khasanov-Batirov:

I disagree with this statement. I believe compliance practitioners should pay attention to new technologies. Let me give you one example. A new bribing scheme might take place by utilizing, for instance, the Initial Coin Offering (ICO) model. This could be done in a simple manner. One is requested to “invest” money in a specified ICO project. One has to pay in hard-to-track cryptocurrency in exchange for tokens. The thing is that ICOs (contrary to IPOs) are not regulated in the majority of jurisdictions. Thus, there are no mandatory audit or legal requirements able to validate whether the project is sound from a financial perspective. Consequently, there is no guarantee or obligation that one can expect the return of one’s money after investing in something which technically is not illegal. Imagine that a PEP is the ultimate owner of this ICO project. He could get all financial proceeds from “investments” in cryptocurrency, which in certain jurisdictions is not even subject to declaration. While in the US this mechanism will not work due to the so-called “Howey test”, in other jurisdictions an ICO could be used as an innovative bribing scheme.

What are your views, Tom?

Tom: I agree with your statement, Tim. I have some more points to focus on as well. As the majority of compliance practitioners are lawyers, we have been witnessing how new technologies such as artificial intelligence impact the legal profession. AI technology replaces in-house lawyers in, for instance, drafting lawsuits. Why can’t AI draft or analyze your Code of Ethics as well? So, as I have mentioned in my post, Using AI in a Compliance Function, a compliance practitioner should have a look at the opportunities that new technologies bring. This could be process automation, for example. The ways to use new technologies in operationalizing compliance are still to be explored.

Tim: Tom, I fully agree with you. There is a great future for the utilization of new technologies in the compliance profession.

Tom: OK, Tim. We can formulate the next concept or maybe misconception in the following way:

Myth #2. New tech cannot influence the effectiveness of the corporate compliance program. Tim, will you agree with this concept?

Tim: I strongly disagree with this concept.

As we have discussed earlier, new technologies have an impact on the execution of the corporate compliance program. The impact of new technologies on the compliance profession I have depicted in the attached new issue of the Compliance Man illustrated. Case management systems, which are utilized as platforms for whistleblower lines, along with databases for due diligence, are something we are used to already. Technologies allow us to do our work more quickly and more effectively. At this stage, the in-house compliance community is probably not involved that deeply in new tech, but I believe it is a question of time. What are your views, Tom?

Tom: I would like to restate my philosophy, which is based on the necessity to determine not only additional value but also to assess what would bring the biggest bang for your compliance buck through the greatest contribution to business success. A compliance person has to consider both short and long-term value, as well as projects that might expand into a broader “suite of cognitive capabilities to create competitive advantages.”

Some of the questions that a compliance practitioner should consider are:

  • How critical to your overall compliance strategy is addressing the targeted issue?
  • How difficult will it be to implement the proposed AI solution?
  • How would the benefits merit the efforts and are there other uses for the AI solution?

We hope our discussion attracted the attention of our listeners in the compliance community to the role of new technologies in compliance management. Tom Fox and Tim Khasanov-Batirov were here for you.

Join us for the next episode of the Compliance Man Goes Global podcast of the FCPA Compliance Report International Edition. Let’s bust more corporate compliance myths together.

Whether you are ready or not, the EU General Data Protection Regulation (GDPR) goes live on May 25, 2018. It will impact companies doing business in London as much as any other EU legislation. To help US companies prepare, Jonathan Armstrong and I have started a Countdown to GDPR podcast. In this premiere episode we discuss what GDPR is and why it is so important that you begin preparing now.

It is quite a wide piece of legislation and covers all personal data. Armstrong noted it is important to remember that the definition of personal information is much wider than the US definition, as it includes information such as geographical locations. GDPR applies to anyone doing business in the EU. It could be as simple as having a website which is accessible to people in the EU. GDPR has heightened obligations on data security; in most cases your organization will be required to report data breaches to a UK data regulator within 72 hours of becoming aware of the breach. Another distinction is the right for an individual to ask companies what information they may hold on them and to exercise the right to be forgotten. All of these requirements present special challenges for US companies. Finally, one area that has received quite a bit of attention is the fine range. Armstrong noted, “if you’re a small business then you’re subject to a fine of 20 million euros. And if you’re a larger business that fine can be 4% of your global annual general revenue.” Lastly, to top it all off, there is a private right of action under GDPR.

Even at this late date, there are steps you can take to begin to get ready. Armstrong laid out three steps a company can take now. First, work through a proper plan which is achievable and concentrates on the main issues, the ones Armstrong believes “are less likely to get you into trouble with the regulator or expose you to private rights of action.”

Second, Armstrong said you should look at how you relate to individuals, whether they are consumers or employees; you are going to have to be much clearer with them about how you are using data around them. To do so, you will need to engage with marketing and sales teams to provide them with some awareness of the changes that GDPR is going to make to what they do with individuals and of the transparency obligations.

Third is to have a real focus on data security. You will need to make sure that you secure everything that you can, including both soft and hard copies of data. In conjunction with this final point, you must plan for and rehearse data breach responses, because under GDPR you have, in most cases, just 72 hours to respond to a data breach so you need to practice the scenario to be able to do that efficiently.

Near and dear to the compliance professional’s heart, Armstrong said it all begins with a risk assessment. This means your corporate compliance function may well play a very large role in your GDPR compliance. From there, manage the risks that you see in your data protection and management program. The Cordery FAQs regarding GDPR state, “Privacy by design and/or default will not be an add-on, but, instead, will become the norm as businesses will have to incorporate data protection safeguards into their products and services from the beginning.”

You should anticipate the need to appoint a Data Protection Officer (DPO) in your company. The FAQs state:

A DPO will have to be appointed to deal with data protection compliance where:

  • The core activities of the data controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or,
  • The core activities of the data controller or the processor consist of processing on a large scale of special categories of personal data, namely those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and, the processing of genetic and biometric data in order to uniquely identify a person, or data concerning health or sex life and sexual orientation (which can only be processed under certain strict conditions such as where consent has been given), or, data relating to criminal convictions and offences.

“The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management.”

In addition to the basic risk assessment, Cordery advises that companies should undertake “Data Protection Impact Assessments” (DPIAs). Where processing operations, in particular those using new technologies, “are likely to result in a high risk for the rights and freedoms of individuals,” an impact assessment of the envisaged processing operations on the protection of personal data must be carried out, prior to the processing, “taking into account the nature, scope, context and purposes of the processing.” The new rules also set out other additional criteria that will necessitate an impact assessment. A data protection regulator must also be consulted prior to the processing of personal data where an assessment “indicates that the processing would result in a high risk in the absence of measures taken by a data controller to mitigate the risk”.

As the FAQs conclude, “DPIAs are likely to become common and should prove to be a very useful tool for businesses in addressing privacy risks.”

For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9 AM to 12 PM. You can find out more information on the event and register by going to the site.